bigforceone

03.11.04

What this control requires

Source: NIST SP 800-171 R3 §03.11.04 (official control text).

Why this matters

Risk response transforms vulnerability findings into actionable decisions. When security assessments reveal gaps—unpatched servers, misconfigured access controls, or policy violations—the organization must formally decide: accept the risk, mitigate it immediately, or create a remediation plan. This control prevents discovered vulnerabilities from languishing in reports without action. It protects the organization from repeated exploitation of known weaknesses and demonstrates to auditors that security findings drive operational change, not just documentation. A documented risk response process ensures every identified threat receives a deliberate decision and, when mitigation cannot be immediate, a tracked remediation plan.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

See your live posture on 03.11.04.

FORCE shows where you stand on this control and walks you through closing it.
